Large-scale organizations require large-scale computer networks, or intranets, consisting of many computers all interconnected to a variety of servers and data sources. For Windows™ based systems, a common configuration for these intranets is to organize groups of systems into “domains”: a group of many systems under the supervision of a single (or multiple) domain controller machine(s). This architecture allows a system administrator to make domain-wide changes to the configuration of individual machines all from a single location. Ensuring that all the machines in the domain have some common elements configured identically is essential to the proper functioning of a domain and to lowering the total cost of ownership that organizations incur.
FIG. 1 (background art) is a stylized block diagram depicting how a common implementation of this architecture is to establish a single user group on the domain controller machine(s) known as the “Domain Administrators Group,” and to then ensure that this Domain Administrators Group is a member of a group with local privileges on each individual workstation being managed. Typically this the Local Administrators Group, and that example is used herein for consistency. [Placing the Domain Administrators Group as a member of the Local Administrators Group is the default configuration for a Windows™ domain.]
Members of the Local Administrators Group on each system are allowed to make any changes to their local system. Thus, when a system administrator who is a member of the Domain Administrators Group attempts to make a change to a local system, the local system accepts him or her as a member of the Local Administrators Group (which has permissions to make any changes on the local system) and allows the change to occur.
It is also common, however, to permit individual users in the domain to be members of the Local Administrators Groups of their own individual computers. This allows them to install software packages and perform minor maintenance without the need for intervention by the system administrators, a highly desirable aspect of reducing the total cost of ownership.
Unfortunately, allowing individual users to be members of the Local Administrators Group can also lead to undesirable consequences which can dramatically increase the total cost of ownership. These sometimes untrained, ill advised, or simply malicious users are able to perform any change locally, including undoing configuration changes made by the system administrators. For example, these local users can simply remove the Domain Administrators Group from the Local Administrators Group, thus preventing the domain administrators from making changes on the local machine. This can lead to security problems and increased cost of ownership for the organization.